SMART AND SECURE GATEWAY FOR PERFORMING SECURE OPERATIONS

The present invention concerns the domain of portable objects, such as smart cards, provided with at least two inputs/outputs (an I/O is an input/output).



TECHNICAL FIELD 



Cards with integrated circuit, also called smart cards, contain one or more integrated circuits embedded in a plastic body. A card with integrated circuit can be connected to a smart card reader and work with it (read, write, delete, and/or every possible operation). The smart card reader can be part of, or linked with, a processing data unit. The present invention covers smart cards, integrated circuit cards and more generally any portable object, as well as any card-accepting device provided with a slot to receive the portable object or able to be connected to the portable object.

In a prior patent application, the smart card receives a message, a signature and the corresponding certificate from a personal computer (PC), verifies the certificate and transmits to display means at least result information of the verification in order to check the certificate. The same principle applies for the message and the signature.

When the user has checked the certificate, the message or the signature, he presses a button or enters a confidential code that is transmitted to the card through the input/output (I/O1) of the card connected to the insecure environment. Hence, it is possible to modify the housing in which the card is inserted in order to tap the confidential code or data and send it over the Internet, or to send a false acceptance to the card.



There are many types of secure operation which require the secure input of information (a Personal Identification Number (PIN), a validation acknowledgment, confidential data...) and which can be controlled by a smart card or any other secure component, in an unsecured environment constituted by a processing data unit, for example a personal computer (PC), which can be open or not trustable. However, all the security brought by the smart card may be useless because the PC is not a trustable environment: it constitutes an open system.

For example, the Internet offers many use cases where the user has to perform some validation on-line, for instance when purchasing goods, or later on on-line pages (newspaper, database searching...). When validating engages the user's responsibility, some precaution should be taken. In such a case the issue is always how to be sure that the data being validated is really the data the user believes it is.

Entering a Personal Identification Number (PIN) might also be required, which, when performed through the PC keyboard, induces the risk of having it tapped in said PC.

These concerns have the same origin as the electronic signature issue. A Trojan horse may perform some internal changes in the computer that make the user validate data that is not really the data he thinks it is, or it might tap the PIN when the user enters it.



The present invention consists in offering a smart and secure gateway that constitutes a closed, secured and controlled environment, such as a smart card with at least two inputs/outputs: one is dedicated to sending and receiving data to and from an insecure environment, another is dedicated to sending and receiving data to and from a secure environment (point of sale PIN pad, ATM, private PIN pad, secure network), in order to perform operations which require a security control such as validating a transaction, checking a signature, encrypting or decrypting...

BRIEF DESCRIPTION OF THE DRAWINGS 

Other purposes, features and advantages of the invention will appear on reading the description which follows of the implementation of the method according to the invention and of a mode of realisation of a portable object designed for this implementation, given as a non-limiting example, and referring to the attached drawings in which:

- figure 1 is a schematic view of an example of realization of an electronic unit integrated in a portable object such as a smart card;

- figure 2 is a schematic view of a non-limiting mode of realization of a smart card designed to implement the method according to the present invention;

- figure 3 is a schematic view of a practical example of a use of the smart card according to the present invention;

- figure 4 is a schematic view of another practical example of a use of the smart card according to the present invention.



BEST WAY OF REALISING THE INVENTION 



This invention belongs to the field of portable objects provided with at least memory means and connectors able to connect said portable object to at least an object-accepting device with which the portable object is able to work or dialog.

The method according to the present invention allows performing secure operations in an insecure environment by using a portable object that constitutes a smart and secure gateway between said insecure environment and a secure one.
In a particular embodiment of the present invention shown in figure 1, the portable object 1 is a smart card with an integrated electronic unit 2: the electronic unit 2 comprises at least a microprocessor CPU 3 with two-way connection via an internal bus 5 to a non-volatile memory 7 of type ROM, EEPROM, Flash, FeRAM or else storing at least a program to be executed, a volatile memory 11 of type RAM and input/output means 13 to communicate with the exterior. The unit 2 may comprise additional components not shown, connected to the internal bus. This type of unit is generally manufactured as a monolithic integrated electronic circuit or chip, which once physically protected by any known means can be assembled on the integrated circuit card or similar for use in various fields, such as bank and/or electronic payment cards, mobile radio telephony, pay television, health and transport. The chip integrated in the thickness of the card is connected to a module which comprises a set of flat connectors 15 on the surface of the card, as is shown on figure 2.

The principle of the present invention is the following:

As shown in figure 2, the portable object 1 constitutes a secured and controlled environment with at least two inputs/outputs 17, 18 (I/O1, I/O2).

One I/O (or I/Os), the insecure I/O(s), is (are) dedicated to support the exchanges with an insecure or uncontrolled environment (i.e. an environment on which the user cannot rely without restriction, such as a PC or a POS device).

The other I/O(s), the secure I/O(s), is (are) connected to environment(s) on which the user relies (e.g. a personal PIN pad). All the information needed from the user to perform the secure operation is transmitted to the portable object through the secure input/output.

Hence, the user, knowing that the insecure environment should not be used, shall connect a keyboard to the secure I/O connected to the secure environment to send the confidential data. If this datum is a PIN, he would connect a dedicated keyboard to the secure I/O.



The term "connected" has a very broad meaning: "connected" means that the connected devices are linked in such a way that they can transmit information to each other. The devices can be connected through many types of connections (wires, radio, ...).

Hereafter is described an example of embodiment of the present invention with reference to figure 3.

A user has a payment card. He uses it to buy goods or services on the Internet from home using his PC. The card is directly connected to a USB (Universal Serial Bus) PC host through a card-accepting device 19 only made of electronic wires. It is compatible with the USB standard, and recognized by the PC. The smart card application requires a PIN to be presented for payment. In order to avoid the user having to type his PIN on the PC keyboard, a second set of connectors 20 is dedicated to the connection with the PIN pad 21, equipped with the adequate keyboard and display.






The PC is an insecure environment because a virus could perform unwanted actions that the user does not see, including addressing the smart card.

The user wants to perform a transaction over the Internet, here purchasing goods or services. He connects his computer to the merchant site. Having chosen the goods or services he wants, the user checks out on the Internet site for payment. Having verified the list of his purchases, the user is invited to introduce his payment card into his reader. The user introduces his card USB side first. A communication channel is established between the card and the PC through the card's insecure I/O1. The Internet site verifies the card, as it can access it transparently. Reading a datum in the card (e.g. the application reference) allows detecting that the card requires a personal PIN pad to complete a payment over the Internet. A message asking the user to connect the personal PIN pad is displayed.



The user connects the card to his personal PIN pad. This second communication channel flows through the card's secure I/O2. The PC powers the personal PIN pad through the card, which relays the VCC and GND connectors to the PIN pad side (wires are coated in the card plastic body).

The insecure I/O1 is dedicated to USB communication. The secure I/O2 is compatible with the PIN pads' specific protocols. The card searches for the personal PIN pad.

The PC enters a payment session, and receives the essential transaction data (price, goods/services list, article references, banking establishment name...) from the Internet site. They are displayed on its screen, asking the user to confirm the payment session.

The user confirms or cancels the transaction by pressing a key on his personal PIN pad. The key press is relayed to the PC by the smart card, which receives it from the secure I/O2 and sends it through the insecure I/O1. This allows verifying that the personal PIN pad works correctly. In the meantime, the card sends the data required to continue the transaction to the host (a random value to establish a session key, cryptographic key references, authentication data...).

To complete the transaction, the card needs the owner's PIN to be presented. It waits for it from the secure I/O2 in order to prevent tapping on the insecure I/O1, which is connected to the insecure environment.



Hence, the card, the PIN pad and the PC enter a PIN-entering session.

Each time the user presses a numeric key, the card stores its value in its memory and sends a * (star character) to the PC. The entire PIN-entering session is handled using the same principle. At the end, the user validates, or cancels, the PIN by pressing a dedicated key.

The card verifies the PIN if it was validated. Assuming the PIN value is correct, the card continues the transaction. Otherwise, it is canceled.
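The PIN-entering session described above, as an added example in Python; this is not code from the patent, only a simulation of the behaviour it describes. The patent specifies that digits arrive on the secure I/O2, that a star is sent to the PC for every key press, and that the card verifies the PIN once validated. The class and method names (TwoPortCard, receive_from_pc, receive_from_pad), the retry counter and the explicit refusal of a PIN offered over the insecure I/O1 are assumptions added for illustration.

```python
# Added example (not from the patent): simulation of the two-I/O PIN-entering session.
# Assumptions: reference PIN and try counter live in the card; a PIN offered on the
# insecure I/O1 is refused; names and return strings are illustrative only.
import hmac  # compare_digest gives a constant-time PIN comparison

INSECURE_IO1 = "PC"       # USB side, untrusted host
SECURE_IO2 = "PIN_PAD"    # personal PIN pad side


class TwoPortCard:
    def __init__(self, reference_pin: str, max_tries: int = 3):
        self._reference_pin = reference_pin
        self._tries_left = max_tries
        self._digits = []            # key values received on I/O2 only
        self._session_open = False
        self.sent_to_pc = []         # everything the insecure host ever sees
        self.sent_to_pad = []        # prompts shown on the PIN pad display

    # ---- I/O1: commands from the insecure host ----
    def receive_from_pc(self, command: str) -> str:
        if command == "START_PIN_SESSION":
            self._digits = []
            self._session_open = True
            self.sent_to_pad.append("ENTER PIN")
            return "OK"
        if command.startswith("VERIFY "):
            # The host may be running a Trojan: a PIN arriving on I/O1 is never trusted.
            return "REFUSED: PIN accepted on secure I/O only"
        return "UNKNOWN COMMAND"

    # ---- I/O2: key presses from the trusted PIN pad ----
    def receive_from_pad(self, key: str) -> str:
        if not self._session_open:
            return "NO SESSION"
        if len(key) == 1 and key.isdigit():
            self._digits.append(key)
            self.sent_to_pc.append("*")   # the PC only learns that a key was pressed
            return "STORED"
        if key == "VALIDATE":
            self._session_open = False
            return self._verify("".join(self._digits))
        if key == "CANCEL":
            self._session_open = False
            self._digits = []
            self.sent_to_pc.append("CANCELLED")
            return "CANCELLED"
        return "IGNORED"

    def _verify(self, candidate: str) -> str:
        self._digits = []                 # never keep the cleartext PIN around
        if self._tries_left == 0:
            self.sent_to_pc.append("BLOCKED")
            return "BLOCKED"
        if hmac.compare_digest(candidate.encode(), self._reference_pin.encode()):
            self.sent_to_pc.append("PIN_OK")
            return "PIN_OK"
        self._tries_left -= 1
        self.sent_to_pc.append("PIN_KO")
        return "PIN_KO (%d tries left)" % self._tries_left


def run_pin_session(card: TwoPortCard, keys) -> str:
    """Drive one session: the PC opens it, the PIN pad supplies the keys."""
    card.receive_from_pc("START_PIN_SESSION")
    result = "NO SESSION"
    for k in keys:
        result = card.receive_from_pad(k)
    return result


if __name__ == "__main__":
    card = TwoPortCard("1234")
    print(run_pin_session(card, ["1", "2", "3", "4", "VALIDATE"]))   # PIN_OK
    print(card.sent_to_pc)       # ['*', '*', '*', '*', 'PIN_OK']: no digit leaks to I/O1
    print(card.receive_from_pc("VERIFY 1234"))                      # REFUSED ...
```

The point to check in such a design is `sent_to_pc`: whatever a Trojan on the PC records from I/O1, it only ever contains stars and status codes, and a PIN it tries to present itself over I/O1 is refused.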

According to another example of embodiment, if a document has to be sent signed, it is prepared in a trustable environment and sent to the security gateway, which signs it (and may encrypt it). Then it can be provided to a connected PC for sending via e-mail, or any other means.

The basic cryptographic functions embedded in the gateway ensure at least the signing and the encryption/decryption of the data, but may be extended to all cryptographic functions such as authentication, privacy, non-repudiation, replay prevention, data tagging...

Depending on the requirement, the trustable environment might be constituted by a trustable PC, a network of PCs or else. The most important point is to forbid any access to such a network except through the security gateway.

According to another example of embodiment illustrated on figure 4, a document with a signature to verify follows the path 20, while a document to sign follows the

Assuming a smart card is a very secured environment, a standalone PC, or a very controlled PC network, can be considered as a "secured area". It is not as secured as a smart card, but one can consider that it is a trustable working environment.

Consequently, we can define three different levels of security:

o Level 0: any standard PC, possibly connected to the Internet, which has not been prepared for a particular security task (e.g. desktop or laptop PC).

o Level 1: a PC, or network of PCs, specifically designed to perform some tasks requiring a dedicated security level. Such computers are not connected to the outside world using usual means, and may not have any floppy, CD or DVD reader/player (i.e. inputs and outputs should be totally under control). It also should be placed in a secure office in order to control its access (i.e. physical access control).

o Level 2: a smart card or equivalent, which represents here the highest level of security, as this consideration is taken into account from the beginning to the end of its life cycle. This also includes software and hardware development, personalization consideration, security lock, ...

The important elements to remember are:

A security level 0 environment cannot be used for signing or verifying a document. This is an insecure environment.

A security level 1 environment is not secure enough for signing or verifying a document: the cryptographic keys required to perform the signature are too sensitive. However, level 1 should be enough to edit, display or print the document to sign and to verify. This is a trustable environment.

A security level 2 environment is specifically designed to handle sensitive data such as cryptographic keys. It is designed, loaded, upgraded and personalized in a secure environment. It is subject to a security policy from its conception to its end of life. This is a secure environment.

The smart card ensures a security gateway function between the insecure and the trustable security environment. An adequate protocol (e.g. BER-TLV) allows detecting protected data (using cryptographic means). If the data the smart card receives is not sealed, it is rejected. Assuming the smart card and the electronic device do not have enough memory to store a complete document, the data is sent to the security level 1 environment where it is temporarily stored (specific transition area). When all the data are received, and if the cryptographic verifications are successful, the smart card displays the result of a hashing calculation on the electronic device display. In the meantime, the PC placed in the security level 1 environment performs the same calculation and displays its result. The user compares the two displayed hashing results. If they are equal, he validates the verification by pressing the button on the electronic device. Receiving the confirmation from the electronic device, the secured PC moves the data from the temporary storage location to the working location in order to use the data.
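The gateway behaviour just described (reject unsealed records, stream verified chunks to the level 1 transition area, then compare a hash computed on each side), as an added example in Python; it is not code from the patent. The patent only names BER-TLV and "cryptographic means" for the seal, so the following assumptions are mine: single-byte BER-TLV tags with definite lengths, tag 0x30 as the record wrapper with tag 0x04 for the payload and tag 0x81 for the seal, an HMAC-SHA256 seal under a key shared with the sender (a real card would typically verify a signature with a key loaded at personalization), and a truncated hex digest as what fits on a small display. All names are illustrative.

```python
# Added example (not from the patent): the gateway's sealed-data check and the
# two-sided hash comparison. Assumptions: single-byte BER-TLV tags with definite
# lengths; the "seal" is an HMAC-SHA256 over the payload under a key shared with
# the sender; the display shows a truncated hex digest. All names are illustrative.
import hashlib
import hmac

TAG_SEQ, TAG_PAYLOAD, TAG_SEAL = 0x30, 0x04, 0x81   # constructed wrapper, data, seal


def encode_length(n: int) -> bytes:
    """BER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def parse_tlv(buf: bytes) -> dict:
    """Parse one level of BER-TLV into {tag: value}; rejects truncated or malformed input."""
    out, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        if i >= len(buf):
            raise ValueError("truncated length")
        first = buf[i]
        i += 1
        if first & 0x80:
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 4 or i + nbytes > len(buf):
                raise ValueError("bad length encoding")
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        if i + length > len(buf):
            raise ValueError("truncated value")
        out[tag] = buf[i:i + length]
        i += length
    return out


def seal_chunk(key: bytes, payload: bytes) -> bytes:
    """Sender side: wrap a document chunk and its seal in one BER-TLV record."""
    seal = hmac.new(key, payload, hashlib.sha256).digest()
    return tlv(TAG_SEQ, tlv(TAG_PAYLOAD, payload) + tlv(TAG_SEAL, seal))


class GatewayCard:
    """Level 2 side: verifies each record, forwards payloads to level 1, keeps a running hash."""

    def __init__(self, key: bytes):
        self._key = key
        self._digest = hashlib.sha256()
        self.forwarded_to_level1 = []    # the level 1 "transition area"

    def receive_record(self, record: bytes) -> bool:
        try:
            inner = parse_tlv(parse_tlv(record)[TAG_SEQ])
        except (KeyError, ValueError):
            return False                              # not a well-formed record
        if TAG_PAYLOAD not in inner or TAG_SEAL not in inner:
            return False                              # unsealed data is rejected
        payload = inner[TAG_PAYLOAD]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, inner[TAG_SEAL]):
            return False                              # seal does not verify
        self._digest.update(payload)
        self.forwarded_to_level1.append(payload)
        return True

    def display_hash(self) -> str:
        """What the card shows on the electronic device's small display."""
        return self._digest.hexdigest()[:16]


def level1_display_hash(stored_chunks) -> str:
    """Same calculation on the level 1 PC over what actually landed in its transition area."""
    h = hashlib.sha256()
    for chunk in stored_chunks:
        h.update(chunk)
    return h.hexdigest()[:16]


if __name__ == "__main__":
    key = bytes(32)                      # constructed demo key; never use a fixed key
    card = GatewayCard(key)
    for part in [b"Purchase order 42: ", b"3 widgets, ", b"total 120 EUR"]:
        assert card.receive_record(seal_chunk(key, part))
    print(card.display_hash() == level1_display_hash(card.forwarded_to_level1))   # True
```

The running hash in the card covers only payloads whose seal verified, while the level 1 PC hashes whatever is sitting in its transition area; a chunk dropped, reordered or altered on the level 1 side therefore shows up as two different values on the two displays, which is exactly what the user's comparison is meant to catch.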



Conversely, if the data is to be signed, it is sent to the smart card through the electronic device (from the level 1 security environment). There are many other types of application of the present invention; for example, there are applications where the smart card is provided with more than two inputs/outputs in order to receive information from different devices belonging to environments of different security levels.
CLAIMS

1- System for performing secure operations that require the input of secure information, comprising a processing data unit (PC, ...) connected to a portable object (1), the portable object being connected to a device (21), characterized in that said portable object comprises at least two inputs/outputs (17, 18), physically distinct, assigned to be connected respectively with the processing data unit and the device, in order that the device sends said secure information to the portable object through the assigned input/output.

2- System according to claim 1, characterized in that the only logic link between data circulating between the portable object and the processing data unit and the portable object and the device is the software of the portable object.

3- Portable object for performing secure operations which require the input of secure information, intended to be connected with a processing data unit (PC, ...) and with a device (21), characterized in that said portable object comprises at least two inputs/outputs (17, 18), physically distinct, assigned to be connected respectively with the processing data unit and the device, in order that the device sends said secure information to the portable object through the assigned input/output.

5- Portable object according to one of the claims 3 or 4, characterized in that the only logic link between data circulating between the portable object and the processing data unit and the portable object and the device is the software of the portable object.

7- Method for performing secure operations that require the input of secure information in a system comprising a processing data unit (PC, ...) connected to a portable object (1), the portable object being connected to a device (21), characterized in that it consists in receiving said secure information in said portable object from said device through an input/output of said portable object assigned to be connected with said device, physically distinct from an input/output of said portable object assigned to be connected with said processing data unit.

8- Method according to claim 7, characterized in that the only logic link between data circulating between the portable object and the processing data unit and the portable object and the device is the software of the portable object.

9- Application of the method according to one of the claims 7 or 8 to the validation of information, consisting in validating information by inputting secure information in said device when the information to validate given by said processing data unit is correct, and by sending the information of validation through said portable object's assigned input/output.

10- Computer program including program code instructions to execute the method according to one of claims 7 to 8 when said program is run in a data processing system.
ABSTRACT

The present invention concerns a method for performing secure operations that require the input of secure information in a system comprising a processing data unit (PC, ...) connected to a portable object (1), the portable object being connected to a device (21), characterized in that it consists in receiving said secure information in said portable object from said device through an input/output of said portable object assigned to be connected with the device, physically distinct from an input/output of said portable object assigned to be connected with the processing data unit.

Figure of the abstract: figure 4